
WHITE PAPER

SAFE: A Security Blueprint for Enterprise Networks

Authors

Sean Convery (CCIE #4232) and Bernie Trudel (CCIE #1884) are the authors of this White Paper. Sean is the lead architect for the reference implementation of this architecture at Cisco’s headquarters in San Jose, CA USA. Sean and Bernie are both members of the VPN and Security Architecture Technical Marketing team in Cisco’s Enterprise Line of Business.

Abstract

The principal goal of Cisco’s secure blueprint for enterprise networks (SAFE) is to provide best-practice information to interested parties on designing and implementing secure networks. SAFE serves as a guide to network designers considering the security requirements of their network. SAFE takes a defense-in-depth approach to network security design. This type of design focuses on the expected threats and their methods of mitigation, rather than on “Put the firewall here, put the intrusion detection system there.” This strategy results in a layered approach to security where the failure of one security system is not likely to lead to the compromise of network resources. SAFE is based on Cisco products and those of its partners.

This document begins with an overview of the architecture, then details the specific modules that make up the actual network design. The first three sections of each module describe the traffic flows, key devices, and expected threats with basic mitigation diagrams. Detailed technical analysis of the design follows, along with more detailed threat mitigation techniques and migration strategies. Appendix A details the validation lab for SAFE and includes configuration snapshots. Appendix B is a primer on network security. Readers who are unfamiliar with basic network security concepts are encouraged to read this section before the rest of the document. Appendix C contains glossary definitions of the technical terms used in this document and a legend for the included figures.

This document focuses heavily on threats encountered in enterprise environments. Network designers who understand these threats can better decide where and how to deploy mitigation technologies. Without a full understanding of the threats involved in network security, deployments tend to be incorrectly configured, are too focused on security devices, or lack threat response options. By taking the threat-mitigation approach, this document should provide network designers with information for making sound network security choices.

Cisco Systems Copyright © 2000 Cisco Systems, Inc. All Rights Reserved. Page 1 of 66

Audience

Though this document is technical in nature, it can be read at different levels of detail, depending on the reader. A network manager, for example, can read the introductory sections in each area to obtain a good overview of network security design strategies and considerations. A network engineer or designer can read this document in its entirety and gain design information and threat analysis details, which are supported by configuration snapshots for the devices involved.

Caveats

This document presumes that you already have a security policy in place. Cisco Systems does not recommend deploying security technologies without an associated policy. This document directly addresses the needs of large enterprise customers. Readers interested in security best practices for smaller networks should read “SAFE: Extending the Security Blueprint to Small, Midsize, and Remote-User Networks” at the following URL: http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safes_wp.htm.

Following the guidelines in this document does not guarantee a secure environment, or that you will prevent all intrusions. True absolute security can only be achieved by disconnecting a system from the network, encasing it in concrete, and putting it in the bottom floor of Fort Knox. Your data will be very safe, though inaccessible. However, you can achieve reasonable security by establishing a good security policy, following the guidelines in this document, staying up to date on the latest developments in the hacker and security communities, and maintaining and monitoring all systems with sound system administration practices. This includes awareness of application security issues that are not comprehensively addressed in this paper.

Though virtual private networks (VPNs) are included in this architecture, they are not described in great detail. Information such as scaling details, resilience strategies, and other topics related to VPNs are covered in more detail in “SAFE VPN: IPSec Virtual Private Networks in Depth” at the following URL: http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safev_wp.htm. Like VPNs, identity strategies (including certificate authorities [CAs]) are not discussed at any level of detail in this paper. Similarly, CAs require a level of focus that this document could not provide and still adequately address all the other relevant areas of network security. Also, because most enterprise networks have yet to deploy fully functional CA environments, it is important to discuss how to securely deploy networks without them. Finally, certain advanced networked applications and technologies (such as content networking, caching, and server load balancing) are not included in this document. Although their use within SAFE is to be expected, this paper does not cover their specific security needs.

SAFE uses the products of Cisco Systems and its partners. However, this document does not specifically refer to products by name. Instead, components are referred to by functional purpose rather than model number or name. During the validation of SAFE, real products were configured in the exact network implementation described in this document. Specific configuration snapshots from the lab are included in Appendix A, “Validation Lab.”

Throughout this document the term “hacker” denotes an individual who attempts to gain unauthorized access to network resources with malicious intent. While the term “cracker” is generally regarded as the more accurate word for this type of individual, hacker is used here for readability.


Architecture Overview

Design Fundamentals

SAFE emulates as closely as possible the functional requirements of today’s enterprise networks. Implementation decisions varied depending on the network functionality required. However, the following design objectives, listed in order of priority, guided the decision-making process.
• Security and attack mitigation based on policy
• Security implementation throughout the infrastructure (not just on specialized security devices)
• Secure management and reporting
• Authentication and authorization of users and administrators to critical network resources
• Intrusion detection for critical resources and subnets
• Support for emerging networked applications

First and foremost, SAFE is a security architecture. It must prevent most attacks from successfully affecting valuable network resources. The attacks that succeed in penetrating the first line of defense, or originate from inside the network, must be accurately detected and quickly contained to minimize their effect on the rest of the network. However, in being secure, the network must continue to provide critical services that users expect. Proper network security and good network functionality can be provided at the same time. The SAFE architecture is not a revolutionary way of designing networks, but merely a blueprint for making networks secure. SAFE is also resilient and scalable. Resilience in networks includes physical redundancy to protect against a device failure whether through misconfiguration, physical failure, or network attack. Although simpler designs are possible, particularly if a network’s performance needs are not great, this document uses a complex design as an example because designing security in a complex environment is more involved than in simpler environments. Options to limit the complexity of the design are discussed throughout this document.

At many points in the network design process, you need to choose between using integrated functionality in a network device versus using a specialized functional appliance. The integrated functionality is often attractive because you can implement it on existing equipment, or because the features can interoperate with the rest of the device to provide a better functional solution. Appliances are often used when the depth of functionality required is very advanced or when performance needs require using specialized hardware. Make your decisions based on the capacity and functionality of the appliance versus the integration advantage of the device. For example, sometimes you can choose an integrated higher-capacity Cisco IOS™ router with IOS firewall software as opposed to a smaller IOS router with a separate firewall. Throughout this architecture, both types of systems are used. Most critical security functions migrate to dedicated appliances because of the performance requirements of large enterprise networks.

Module Concept

Although most enterprise networks evolve with the growing IT requirements of the enterprise, the SAFE architecture uses a green-field modular approach. A modular approach has two main advantages. First, it allows the architecture to address the security relationship between the various functional blocks of the network. Second, it permits designers to evaluate and implement security on a module-by-module basis, instead of attempting the complete architecture in a single phase. Figure 1 illustrates the first layer of modularity in SAFE. Each block represents a functional area. The Internet service provider (ISP) module is not implemented by the enterprise, but is included to the extent that specific security features should be requested of an ISP in order to mitigate certain attacks.


Figure 1: Enterprise Composite Module (block diagram of the three functional areas: Enterprise Campus, Enterprise Edge, and SP Edge; the SP Edge shows ISP A, ISP B, PSTN, and Frame/ATM)

The second layer of modularity, which is illustrated in Figure 2, represents a view of the modules within each functional area. These modules perform specific roles in the network and have specific security requirements, but their sizes are not meant to reflect their scale in a real network. For example, the building module, which represents the end-user devices, may include 80 percent of the network devices. The security design of each module is described separately, but is validated as part of the complete enterprise design.

Figure 2: Enterprise SAFE Block Diagram (modules within each functional area; Enterprise Campus: Building, Building Distribution, Core, Management, Server, Edge Distribution; Enterprise Edge: E-Commerce, Corporate Internet, VPN & Remote Access, WAN; SP Edge: ISP A, ISP B, PSTN, Frame/ATM)

While it is true that most existing enterprise networks cannot be easily dissected into clear-cut modules, this approach provides a guide for implementing different security functions throughout the network. The authors do not expect network engineers to design their networks identically to the SAFE implementation, but rather to use a combination of the modules described and integrate them into the existing network.


SAFE Axioms

This section outlines general best practices that apply to the entire SAFE blueprint. They are addressed here in a single location to avoid duplication throughout the individual modules.

Routers Are Targets

Routers control access from every network to every network. They advertise networks and filter who can use them, and they are potentially a hacker's best friend. Router security is a critical element in any security deployment. By their nature, routers provide access and, therefore, you should secure them to reduce the likelihood that they can be directly compromised. You can refer to other documents that have been written about router security, which provide more detail on the following subjects:
• Locking down Telnet access to a router
• Locking down Simple Network Management Protocol (SNMP) access to a router
• Controlling access to a router through the use of Terminal Access Controller Access Control System Plus (TACACS+)
• Turning off unneeded services
• Logging at appropriate levels
• Authentication of routing updates

The most current document on router security is available at the following URL: http://www.cisco.com/warp/public/707/21.html

Switches Are Targets

Like routers, switches (both Layer 2 and Layer 3) have their own set of security considerations. Unlike routers, not as much public information is available about the security risks in switches and what can be done to mitigate those risks. Switches typically rely on virtual LANs (VLANs) for Layer 2 traffic segmentation. Most of the security techniques detailed in the preceding section, “Routers Are Targets,” apply to switches. In addition, you should take the following precautions:
• Disable all unused ports on a switch. This setup prevents hackers from plugging into unused ports and communicating with the rest of the network.
• Ports without any need to trunk should have any trunk settings set to off, as opposed to auto. This setup prevents a host from becoming a trunk port and receiving all traffic that would normally reside on a trunk port.
• For ports that require trunking, always use a dedicated VLAN identifier. The use of VLAN 1 may have implications for some switch vendors. Eliminate native VLANs from 802.1q trunks.
• When feasible for user ports, limit each port to a small number of MAC addresses (say 2-3). This will mitigate MAC flooding and other attacks.
• As VLANs do not inherently provide security functions such as confidentiality and authentication, care must be taken to follow the security guidelines defined by Cisco and in this section when implementing VLANs in any environment. For instance, filtering and/or stateful firewalling in addition to VLAN segmentation provides a defense-in-depth approach to securing the access between two subnets.
• Procedures for carrying out change control and configuration analysis must be in place to ensure that a secure configuration results after changes are made. This is especially valuable in cases where multiple organizational groups may control the same switch and even more valuable in security deployments where even greater care must be taken.
• Recent testing of Cisco software has shown that as long as care is taken in configuration, specifically following the best practices in this section, VLANs provide Layer 2 separation. For more information please refer to: http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/stake_wp.pdf.

Within an existing VLAN, private VLANs provide some added security to specific network applications. Private VLANs work by limiting which ports within a VLAN can communicate with other ports in the same VLAN. Isolated ports within a VLAN can communicate only with promiscuous ports. Community ports can communicate only with other members of the same community and promiscuous ports. Promiscuous ports can communicate with any port. This is an effective way to mitigate the effects of a single compromised host. Consider a standard public services segment with a Web, File Transfer Protocol (FTP), and Domain Name System (DNS) server. If the DNS server is compromised, a hacker can pursue the other two hosts without passing back through the firewall. If private VLANs are deployed and one system is compromised, it cannot communicate with the other systems. The only targets a hacker can pursue are hosts on the other side of the firewall. Because they restrict Layer 2 connectivity, private VLANs make troubleshooting network problems more difficult. Remember that private VLANs are not supported on all Ethernet switches available on the market today. In particular, most low-end switches do not yet support this feature.
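The switch precautions listed above and the private-VLAN layout for the public services segment, as an added example in Catalyst IOS configuration syntax (not a configuration snapshot from this paper or its validation lab); the VLAN numbers, interface names and server placement are assumptions chosen for illustration.

```cisco
! Added example, not from the SAFE paper. Assumptions: VLAN 10 is a user VLAN,
! VLAN 999 is an unused "parking" VLAN, VLAN 100/101 form the public services
! segment, and the interface names are illustrative.

! --- Weak user port (how a port often ships): it negotiates trunking with
!     whatever plugs in, uses VLAN 1 as native, and accepts any number of MACs.
interface FastEthernet0/1
 switchport mode dynamic auto
 switchport trunk native vlan 1

! --- Hardened user port: trunking off (not auto), at most two MAC addresses.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict

! --- Unused ports: shut down and parked in an unused VLAN so that a host that
!     is plugged in cannot communicate with the rest of the network.
interface range FastEthernet0/20 - 24
 switchport mode access
 switchport access vlan 999
 shutdown

! --- Port that must trunk: dedicated native VLAN (never VLAN 1), no
!     negotiation, explicit VLAN list. Tagging the native VLAN removes untagged
!     frames from the 802.1q trunk altogether (where the platform supports it).
vlan dot1q tag native
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30

! --- Private VLANs on the public services segment: the Web, FTP and DNS servers
!     sit on isolated ports, so a compromised DNS server can reach only the
!     firewall's promiscuous port, not the other two servers.
vlan 100
 private-vlan primary
 private-vlan association 101
vlan 101
 private-vlan isolated

interface range FastEthernet0/10 - 12
 description Web, FTP and DNS servers (isolated ports)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101

interface FastEthernet0/13
 description Firewall inside interface (promiscuous port)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
```

Private VLAN configuration requires the switch to be in VTP transparent mode on the Catalyst platforms that support the feature.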

Hosts Are Targets

The most likely target during an attack, the host presents some of the most difficult challenges from a security perspective. There are numerous hardware platforms, operating systems, and applications, all of which have updates, patches, and fixes available at different times. Because hosts provide the application services to other hosts that request them, they are extremely visible within the network. For example, many people have visited www.whitehouse.gov, which is a host, but few have attempted to access s2-0.whitehouseisp.net, which is a router. Because of this visibility, hosts are the most frequently attacked devices in any network intrusion attempt. In part because of the security challenges mentioned above, hosts are also the most successfully compromised devices. For example, a given Web server on the Internet might run a hardware platform from one vendor, a network card from another, an operating system from still another vendor, and a Web server that is either open source or from yet another vendor. Additionally, the same Web server might run applications that are freely distributed via the Internet, and might communicate with a database server that starts the variations all over again. That is not to say that the security vulnerabilities are specifically caused by the multisource nature of all of this, but rather that as the complexity of a system increases, so does the likelihood of a failure.

To secure hosts, pay careful attention to each of the components within the systems. Keep any systems up to date with the latest patches, fixes, and so forth. In particular, pay attention to how these patches affect the operation of other system components. Evaluate all updates on test systems before you implement them in a production environment. Failure to do so might result in the patch itself causing a denial of service (DoS).

Networks Are Targets

Network attacks are among the most difficult attacks to deal with because they typically take advantage of an intrinsic characteristic in the way your network operates. These attacks include Address Resolution Protocol (ARP) and Media Access Control (MAC)-based Layer 2 attacks, sniffers, and distributed denial-of-service (DDoS) attacks. Some of the ARP and MAC-based Layer 2 attacks can be mitigated through best practices on switches and routers. Sniffers are discussed in the primer at the end of this document. DDoS, however, is a unique attack that deserves special attention.

The worst attack is the one that you cannot stop. When performed properly, DDoS is just such an attack. As outlined in Appendix B, “Network Security Primer,” DDoS works by causing tens or hundreds of machines to simultaneously send spurious data to an IP address. The goal of such an attack is generally not to shut down a particular host, but rather to make the entire network unresponsive. For example, consider an organization with a DS1 (1.5 Mbps) connection to the Internet that provides e-commerce services to its Web site users. Such a site is very security conscious and has intrusion detection, firewalls, logging, and active monitoring. Unfortunately, none of these security devices helps when a hacker launches a successful DDoS attack. Consider 100 devices around the world, each with DSL (500 Kbps) connections to the Internet. If these systems are remotely told to flood the serial interface of the e-commerce organization's Internet router, they can easily flood the DS1 with erroneous data. Even if each host is able to generate only 100 Kbps of traffic (lab tests indicate that a stock PC can easily generate 50 Mbps with a popular DDoS tool), that amount is still almost ten times the amount of traffic that the e-commerce site can handle. As a result, legitimate Web requests are lost, and the site appears to be down for most users. The local firewall drops all the erroneous data, but by then the damage is done. The traffic has crossed the WAN connection and filled up the link.


Only through cooperation with its Internet service provider (ISP) can this fictitious e-commerce company hope to thwart such an attack. An ISP can configure rate limiting on the outbound interface to the company's site. This rate limiting can drop most undesired traffic when it exceeds a prespecified amount of the available bandwidth. The key is to correctly flag traffic as undesired. Common forms of DDoS attacks are Internet Control Message Protocol (ICMP) floods, TCP SYN floods, or User Datagram Protocol (UDP) floods. In an e-commerce environment, this type of traffic is fairly easy to categorize. Only when limiting a TCP SYN attack on port 80 (Hypertext Transfer Protocol [HTTP]) does an administrator run the risk of locking out legitimate users during an attack. Even then, it is better to temporarily lock out new legitimate users and retain routing and management connections than to have the router overrun and lose all connectivity. More sophisticated attacks use port 80 traffic with the ACK bit set so that the traffic appears to be legitimate Web transactions. It is unlikely that an administrator could properly categorize such an attack because acknowledged TCP communications are exactly the sort that you want to allow into your network.

One approach to limiting this sort of attack is to follow filtering guidelines for networks outlined in RFC 1918 and RFC 2827. RFC 1918 specifies the networks that are reserved for private use and should never be seen across the public Internet. RFC 2827 filtering is discussed in the “IP Spoofing” section of Appendix B, “Network Security Primer.” For example, for inbound traffic on a router that is connected to the Internet, you employ RFC 1918 and 2827 filtering to prevent this unauthorized traffic from reaching the corporate network. When implemented at the ISP, this filtering prevents DDoS attack packets that use these addresses as sources from traversing the WAN link, potentially saving bandwidth during the attack. Collectively, if ISPs worldwide were to implement the guidelines in RFC 2827, source address spoofing would be greatly diminished. Although this strategy does not directly prevent DDoS attacks, it does prevent such attacks from masking their source, making traceback to the attacking networks much easier. Ask your ISP about which DDoS mitigation options they make available to their customers.
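The RFC 1918 and RFC 2827 filtering on the enterprise Internet router and the ISP-side rate limiting of an ICMP flood described above, as an added example in IOS syntax (not a configuration from this paper or its validation lab); the enterprise prefix 192.0.2.0/24, the interface names and the rate values are assumptions chosen for illustration.

```cisco
! Added example, not from the SAFE paper. Assumptions: the enterprise owns
! 192.0.2.0/24, Serial0/0 is its DS1 to ISP A, Serial1/0 is the ISP-side end of
! that DS1, and the 64 kbps ICMP ceiling is an illustrative value.

! --- Enterprise side, inbound from the ISP: drop packets whose source is an
!     RFC 1918 private network (never legitimate across the public Internet) or
!     the enterprise's own prefix (RFC 2827: such a source can only be spoofed).
!     "log" records the dropped sources, which supports traceback later.
ip access-list extended FROM-INTERNET
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 192.0.2.0 0.0.0.255 any log
 permit ip any any

! --- Enterprise side, outbound toward the ISP: only packets sourced from the
!     enterprise's own prefix may leave (RFC 2827 egress filtering), so a
!     compromised internal host cannot flood someone else with spoofed sources.
ip access-list extended TO-INTERNET
 permit ip 192.0.2.0 0.0.0.255 any
 deny   ip any any log

interface Serial0/0
 description DS1 to ISP A
 ip access-group FROM-INTERNET in
 ip access-group TO-INTERNET out

! --- ISP side (ISP A's router, interface facing the customer): committed access
!     rate caps ICMP echo traffic toward the customer at 64 kbps of the 1.5 Mbps
!     DS1, so an ICMP flood is dropped at the ISP instead of filling the WAN link.
!     Only traffic matching ACL 150 is limited; other traffic is unaffected.
access-list 150 permit icmp any 192.0.2.0 0.0.0.255 echo
access-list 150 permit icmp any 192.0.2.0 0.0.0.255 echo-reply
interface Serial1/0
 description DS1 to customer 192.0.2.0/24
 rate-limit output access-group 150 64000 8000 8000 conform-action transmit exceed-action drop
```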

Applications Are Targets

Applications are coded by human beings (mostly) and, as such, are subject to numerous errors. These errors can be benign (for example, an error that causes your document to print incorrectly) or malignant (for example, an error that makes the credit card numbers on your database server available via anonymous FTP). It is the malignant problems, as well as other more general security vulnerabilities, that need careful attention. Care needs to be taken to ensure that commercial and public domain applications are up to date with the latest security fixes. Public domain applications, as well as custom-developed applications, also require code review to ensure that the applications are not introducing any security risks caused by poor programming. This programming can include scenarios such as how an application makes calls to other applications or the OS itself, the privilege level at which the application runs, the degree of trust that the application has for the surrounding systems, and finally, the method the application uses to transport data across the network. The following section discusses intrusion detection systems (IDSs) and how they can help mitigate some of the attacks launched against applications and other functions within the network.

Intrusion Detection Systems

Intrusion detection systems (IDSs) act like an alarm system in the physical world. When an IDS detects something that it considers an attack, it can either take corrective action itself or notify a management system for actions by the administrator. Some systems are more or less equipped to respond and prevent such an attack. Host-based intrusion detection can work by intercepting OS and application calls on an individual host. It can also operate by after-the-fact analysis of local log files. The former approach allows better attack prevention, whereas the latter approach dictates a more passive attack-response role. Because of the specificity of their role, host-based IDS (HIDS) systems are often better at preventing specific attacks than network IDS (NIDS) systems, which usually issue only an alert upon discovery of an attack. However, that specificity causes a loss of perspective to the overall network. This is where NIDS excels. Cisco recommends a combination of the two systems, HIDS on critical hosts and NIDS looking over the whole network, for a complete intrusion detection system.

When an IDS is deployed, you must tune its implementation to increase its effectiveness and remove “false positives.” False positives are defined as alarms caused by legitimate traffic or activity. False negatives are attacks that the IDS fails to see. When the IDS is tuned, you can configure it more specifically as to its threat-mitigation role. As mentioned above, you should configure HIDS to stop most valid threats at the host level because it is well prepared to determine that certain activity is, indeed, a threat.

When deciding on mitigation roles for NIDS, you have two primary options. Remember that the first step prior to implementing any threat-response option is to adequately tune NIDS to ensure that any perceived threat is legitimate.

The first option, and potentially the most damaging if improperly deployed, is to “shun” traffic through the addition of access control filters on routers and firewalls. When a NIDS detects an attack from a particular host over a particular protocol, it can block that host from coming into the network for a predetermined amount of time. Although on the surface this might seem like a great aid to a security administrator, in reality it must be very carefully implemented, if at all. The first problem is that of spoofed addresses. If traffic that matches an attack is seen by the NIDS, and that particular alarm triggers a shun situation, the NIDS will deploy the access list to the device. However, if the attack that caused the alarm used a spoofed address, the NIDS has now locked out an address that never initiated an attack. If the IP address that the hacker used happens to be the IP address of a major ISP's outbound HTTP proxy server, a huge number of users could be locked out. This by itself could be an interesting DoS threat in the hands of a creative hacker. To mitigate the risks of shunning, you should generally use it only on TCP traffic, which is much more difficult to successfully spoof than UDP. Use it only in cases where the threat is real and the chance that the attack is a false positive is very low. Also consider setting the shun length very short. This setup will block the user long enough to allow the administrator to decide what permanent action (if any) he/she wants to take against that IP address. However, in the interior of a network, many more options exist. With effectively deployed RFC 2827 filtering, spoofed traffic should be very limited. Also, because customers are not generally on the internal network, you can take a more restrictive stance against internally originated attack attempts. Another reason for this is that internal networks do not often have the same level of stateful filtering that edge connections possess. As such, IDS needs to be more heavily relied upon than in the external environment.

The second option for NIDS mitigation is the use of TCP resets. As the name implies, TCP resets operate only on TCP traffic and terminate an active attack by sending TCP reset messages to the attacking and attacked host. Because TCP traffic is more difficult to spoof, you should consider using TCP resets more often than shunning. Keep in mind that TCP resets in a switched environment are more challenging than when a standard hub is used, because all ports don't see all traffic without the use of a Switched Port Analyzer (SPAN) or mirror port. Make sure this mirror port supports bidirectional traffic flows and can have SPAN port MAC learning disabled. Both of these mitigation options require 24x7 staffing to watch the IDS consoles. Because IT staff are often overworked, consider outsourcing your IDS management to a third party.

From a performance standpoint, NIDS observes packets on the wire. If packets are sent faster than the NIDS can process them, there is no degradation to the network because the NIDS does not sit directly in the flows of data. However, the NIDS will lose effectiveness and packets could be missed, causing both false negatives and false positives. Be sure to avoid exceeding the capabilities of your IDS so that you get its benefit. From a routing standpoint, IDS, like many state-aware engines, does not operate properly in an asymmetrically routed environment. Packets sent out from one set of routers and switches and returning through another will cause the IDS systems to see only half the traffic, causing false positives and false negatives.

Secure Management and Reporting

“If you’re going to log it, read it.” So simple a proposition that almost everyone familiar with network security has said it at least once. Yet logging and reading information from hundreds of devices can prove to be a challenging proposition. Which logs are most important? How do I separate important messages from mere notifications? How do I ensure that logs are not tampered with in transit? How do I ensure my time-stamps match each other when multiple devices report the same alarm?

What information is needed if log data is required for a criminal investigation? How do I deal with the volume of messages that can be generated by a large network? You must address all these questions when considering managing log files effectively. From a management standpoint, a different set of questions needs to be asked: How do I securely manage a device? How can I push content out to public servers and ensure that it is not tampered with in transit? How can I track changes on devices to troubleshoot when attacks or network failures occur?

From an architectural point of view, providing out-of-band management of network systems is the best first step in any management and reporting strategy. Out-of-band (OOB), as its name implies, refers to a network on which no production traffic resides. Devices should have a direct local connection to such a network where possible, and where impossible (due to geographic or system-related issues) the device should connect via a private encrypted tunnel over the production network. Such a tunnel should be preconfigured to communicate only across the specific ports required for management and reporting. The tunnel should also be locked down so that only appropriate hosts can initiate and terminate tunnels. Be sure that the out-of-band network does not itself create security issues. See the “Management Module” section of this document for more details.

After implementing an OOB management network, dealing with logging and reporting becomes more straightforward. Most networking devices can send syslog data, which can be invaluable when troubleshooting network problems or security threats. Send this data to one or more syslog analysis hosts on the management network. Depending on the device involved, you can choose various logging levels to ensure that the correct amount of data is sent to the logging devices. You also need to flag device log data within the analysis software to permit granular viewing and reporting. For example, during an attack the log data provided by Layer 2 switches might not be as interesting as the data provided by the intrusion detection system. Specialized applications, such as IDS, often use their own logging protocols to transmit alarm information. Usually this data should be logged to separate management hosts that are better equipped to deal with attack alarms. When combined, alarm data from many different sources can provide information about the overall health of the network.

To ensure that log messages are time-synchronized to one another, clocks on hosts and network devices must be in sync. For devices that support it, Network Time Protocol (NTP) provides a way to ensure that accurate time is kept on all devices. When dealing with attacks, seconds matter because it is important to identify the order in which a specified attack took place.

OOB management is not always desirable. Often it depends on the type of management application you are running and the protocols that are required. For example, consider a management tool whose goal is determining reachability of all the devices on the production network. If a critical link failed between two core switches, you would want this management console to alert an administrator. If this management application was configured to use an OOB network, it may never determine that the link has failed since the OOB network makes all devices appear to be attached to a single network. With management applications such as these, it is preferred to run the management application in-band. This in-band management needs to be configured in as secure a manner as possible. Often this in-band and OOB management can be configured from the same management network provided there is a firewall between the management hosts and the devices needing management.
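As an added example (not part of the Cisco document), the following Python script shows the flagging and time-ordering described above: it tags syslog lines by device class and severity, drops Layer 2 switch notifications from an attack view, and reports devices whose clocks disagree about the same flow, which is exactly what NTP is meant to prevent. The host names follow the naming in the figures; the log lines, addresses and the year are constructed.

```python
"""Syslog aggregation helper: tag events by device class and severity, build one
timeline, and flag devices whose clocks disagree. Added example; the log lines,
host names and addresses are constructed and the year is assumed."""
import re
from datetime import datetime, timedelta

YEAR = 2000  # classic syslog timestamps carry no year (assumed for the sample)

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>[^: ]+): (?P<msg>.*)$")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Host-name prefix -> device class (mirrors the SAFE naming used in the figures).
DEVICE_CLASSES = {"eL2sw": "switch", "eL3sw": "switch", "ePIX": "firewall",
                  "eIOS": "router", "eIDS": "nids"}

# Constructed sample: the firewall and the NIDS both see the same flow, but the
# NIDS clock is about two minutes ahead of the firewall's clock.
SAMPLE_LOGS = [
    "<188>Apr 10 12:00:09 ePIX-31: %PIX-4-106023: Deny tcp src outside:203.0.113.5/4321 "
    "dst inside:192.0.2.10/80 by access-group outside_in",
    "<187>Apr 10 12:00:05 eL2sw-11: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up",
    "<188>Apr 10 12:02:11 eIDS-84: NIDS alarm: TCP SYN flood 203.0.113.5 -> 192.0.2.10",
    "<190>Apr 10 12:00:12 eIOS-23: %SYS-6-LOGOUT: User admin has exited tty session 1(10.50.0.5)",
    "this line is not syslog and must be ignored",
]


def parse_syslog(line):
    """Return a dict for one RFC 3164-style line, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    ts = datetime.strptime(f"{YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    host = m.group("host")
    return {
        "ts": ts,
        "host": host,
        "device_class": DEVICE_CLASSES.get(host.split("-")[0], "unknown"),
        "facility": pri >> 3,      # PRI = facility * 8 + severity
        "severity": pri & 7,       # 0 = emergency ... 7 = debug
        "msg": m.group("msg"),
        "ips": IP_RE.findall(m.group("msg")),
    }


def build_timeline(lines):
    """Parse every line that is valid syslog and order the events by time stamp."""
    events = [e for e in (parse_syslog(l) for l in lines) if e is not None]
    return sorted(events, key=lambda e: e["ts"])


def attack_view(events, max_severity=4, drop_classes=("switch",)):
    """During an attack keep warning-or-worse messages and drop device classes
    (Layer 2 switches by default) whose messages are not interesting then."""
    return [e for e in events
            if e["severity"] <= max_severity and e["device_class"] not in drop_classes]


def clock_skew(events, tolerance=timedelta(seconds=5)):
    """Devices that report the same source/destination pair should agree on the
    time to within the tolerance; a larger spread points at a device whose clock
    is not NTP-synchronized. Returns (ip_pair, hosts, seconds) tuples."""
    by_pair = {}
    for e in events:
        if len(e["ips"]) >= 2:
            by_pair.setdefault((e["ips"][0], e["ips"][1]), []).append(e)
    findings = []
    for pair, evs in by_pair.items():
        hosts = sorted({e["host"] for e in evs})
        if len(hosts) < 2:
            continue
        spread = max(e["ts"] for e in evs) - min(e["ts"] for e in evs)
        if spread > tolerance:
            findings.append((pair, hosts, int(spread.total_seconds())))
    return findings


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_LOGS)
    for e in attack_view(timeline):
        print(e["ts"], e["host"], e["device_class"], "sev", e["severity"], e["msg"])
    for pair, hosts, secs in clock_skew(timeline):
        print(f"clock skew of {secs}s between {hosts} for flow {pair[0]} -> {pair[1]}: check NTP")
```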
Please see the “Management Module” section of this document for more details. When in-band management of a device is required, you should consider several factors. First, what management protocols does the device support? For devices with IP Security (IPSec), devices should be managed by simply creating a tunnel from the management network to the device. This setup allows many insecure management protocols to flow over a single encrypted tunnel. When IPSec is not possible because it is not supported on a device, other less-secure alternatives must be chosen. For configuration of the device, SSH or Secure Sockets Layer (SSL) can often be used instead of Telnet to encrypt any configuration modifications made to a device. These same protocols can sometimes also be used to push and pull data to a device instead of insecure protocols such as TFTP and FTP. Often, however, TFTP is required on Cisco equipment to back up configurations or to update software versions. This leads to the second question: Does this management channel need to be active at all times? If not, then temporary holes can be placed in a firewall while the management functions are performed and then later removed. This process does not scale with large numbers of devices, however, and should be used sparingly, if at all, in enterprise deployments. If the channel needs to be active at all times, such as with SNMP, the third question should be considered: Do you really need this management tool? Often SNMP managers are used on the inside of a network to ease troubleshooting and configuration. However, SNMP should be treated with the utmost care because the underlying protocol has its own set of security vulnerabilities. If required, consider providing read-only access to devices via SNMP and treat the SNMP community string with the same care you might treat a root password on a critical Unix host. Know that by introducing SNMP into your production network you are introducing a potential vulnerability into your environment.

Configuration change management is another issue related to secure management. When a network is under attack, it is important to know the state of critical network devices and when the last known modifications took place. Creating a plan for change management should be a part of your comprehensive security policy, but, at a minimum, record changes using authentication systems on the devices, and archive configurations via FTP or TFTP.

Enterprise Module

The enterprise comprises two functional areas: the campus and the edge. These two areas are further divided into modules that define the various functions of each area in detail. Following the detailed discussion of the modules in the “Enterprise Campus” and “Enterprise Edge” sections, the “Enterprise Options” section of this document describes various options for the design.

Expected Threats

From a threat perspective, the Enterprise network is like most networks connected to the Internet. There are internal users who need access out and external users who need access in. There are several common threats that can generate the initial compromise that a hacker needs to further penetrate the network with secondary exploits. First is the threat from internal users. Though statistics vary on the percentage, it is an established fact that the majority of all attacks come from the internal network. Disgruntled employees, corporate spies, visiting guests, and inadvertent bumbling users are all potential sources of such attacks. When designing security, it is important to be aware of the potential for internal threats. Second is the threat to the publicly addressable hosts that are connected to the Internet. These systems will likely be attacked with application layer vulnerabilities and DoS attacks. The final threat is that a hacker might try to determine your data phone numbers by using a “war-dialer” and try to gain access to the network. War-dialers are software and/or hardware that are designed to dial many phone numbers and determine the type of system on the other end of the connection. Personal systems with remote-control software installed by the user are the most vulnerable, because they typically are not very secure. Because these devices are behind the firewall, once hackers have access via the host they dialed in to, they can impersonate users on the network. For a complete discussion of threat details, refer to Appendix B, “Network Security Primer.”


Enterprise Campus

The following is a detailed analysis of all the modules contained within the Enterprise Campus.

Figure 3 Enterprise Campus Detail
(Diagram. Labelled elements: Management Module with OTP Server, Access Control Server, Term Server (IOS), Network Monitoring, IDS Director, Syslog 1, Syslog 2 and System Admin; Building Module (users); Building Distribution Module; Core Module; Edge Distribution Module with links to the e-Commerce, Corporate Internet, VPN/Remote Access and WAN Modules; Server Module with Cisco CallManager, Email Server, Corporate Server and Internal Dept. server.)

Management Module

The primary goal of the management module is to facilitate the secure management of all devices and hosts within the enterprise SAFE architecture. Logging and reporting information flow from the devices through to the management hosts, while content, configurations, and new software flow to the devices from the management hosts.

Figure 4 Management Traffic Flow
(Diagram of management traffic between the SAFE network and the Management Module (Syslog Server, IDS Log, Access Control, Sys Admin, Device Monitoring), annotated by layer: Apps L5-7 (configuration management, software updates, user authentication, SNMP monitoring, syslog and other logs), L4, L1-3.)

Key Devices

• SNMP Management host – provides SNMP management for devices
• NIDS host – provides alarm aggregation for all NIDS devices in the network
• Syslog host(s) – aggregates log information for Firewall and NIDS hosts
• Access Control Server – delivers one-time, two-factor authentication services to the network devices
• One-Time Password (OTP) Server – authorizes one-time password information relayed from the access control server
• System Admin host – provides configuration, software, and content changes on devices
• NIDS appliance – provides Layer 4 to Layer 7 monitoring of key network segments in the module
• Cisco IOS Firewall – allows granular control for traffic flows between the management hosts and the managed devices
• Layer 2 switch (with private VLAN support) – ensures data from managed devices can only cross directly to the IOS firewall


Figure 5 Management Module: Detail
(Diagram: OTP Server, Access Control Server, Network Monitoring, IDS Director, Syslog 1, Syslog 2 and System Admin on the out-of-band management segment behind eIOS-21 and eIDS-91; six IOS terminal servers to all device console ports; six switches providing out-of-band network management; encrypted in-band network management over the production network.)

Threats Mitigated

• Unauthorized Access – filtering at the IOS firewall stops most unauthorized traffic in both directions
• Man-in-the-Middle Attacks – management data is crossing a private network, making man-in-the-middle attacks difficult
• Network Reconnaissance – because all management traffic crosses this network, it does not cross the production network where it could be intercepted
• Password Attacks – the access control server allows for strong two-factor authentication at each device
• IP Spoofing – spoofed traffic is stopped in both directions at the IOS firewall
• Packet Sniffers – a switched infrastructure limits the effectiveness of sniffing
• Trust Exploitation – private VLANs prevent a compromised device from masquerading as a management host


Figure 6 Attack Mitigation Roles for Management Module
(Diagram annotations: two-factor authentication and AAA services at the OTP Server and Access Control Server; terminal servers to all device console ports; comprehensive Layer 4-7 analysis at eIDS-91; read-only SNMP for network monitoring; network log data to the IDS Director and Syslog 1/2; SSH where possible; stateful packet filtering and IPsec termination for management at eIOS-57; OOB config management; private VLANs on the switches; config and content management hosts; IDS for local attack; encrypted in-band and out-of-band network management.)

Design Guidelines

As can be seen in the above diagram, the SAFE enterprise management network has two network segments that are separated by an IOS router that acts as a firewall and a VPN termination device. The segment outside the firewall connects to all the devices that require management. The segment inside the firewall contains the management hosts themselves and the IOS routers that act as terminal servers. The remaining interface connects to the production network but only for selective Internet access, limited in-band management traffic, and IPSec-protected management traffic from predetermined hosts. As discussed in the “Axioms” section, in-band management only occurs when the application itself would not function OOB or if the Cisco device being managed did not physically have enough interfaces to support the normal management connection. It is this latter case that employs IPSec tunnels. The IOS firewall is configured to allow syslog information into the management segment, as well as telnet, SSH, and SNMP if these are first initiated by the inside network.

Both management subnets operate under an address space that is completely separate from the rest of the production network. This ensures that the management network will not be advertised by any routing protocols. This also enables the production network devices to block any traffic from the management subnets that appears on the production network links. Any in-band management or Internet access occurs through a NAT process on the IOS router that translates the non-routable management IP addresses to prespecified production IP ranges.

The management module provides configuration management for nearly all devices in the network through the use of two primary technologies: Cisco IOS routers acting as terminal servers and a dedicated management network segment. The routers provide a reverse-telnet function to the console ports on the Cisco devices throughout the enterprise. More extensive management features (software changes, content updates, log and alarm aggregation, and SNMP management) are provided through the dedicated management network segment with caveats as noted above.

Because the management network has administrative access to nearly every area of the network, it can be a very attractive target to hackers. The management module has been built with several technologies designed to mitigate those risks. The first primary threat is a hacker attempting to gain access to the management network itself. This threat can only be mitigated through the effective deployment of security features in the remaining modules in the enterprise. All the remaining threats assume that the primary line of defense has been breached. To mitigate the threat of a compromised device, access control is implemented at the firewall, and at every other possible device, to prevent exploitation of the management channel. A compromised device cannot even communicate with other hosts on the same subnet because private VLANs on the management segment switches force all traffic from the managed devices directly to the IOS firewall where filtering takes place. Password sniffing only reveals useless information because of the one-time password environment. Host and Network IDS are also implemented on the management subnet and are configured in a very restrictive stance. Because the types of traffic on this network should be very limited, any signature match on this segment should be met with an immediate response.

SNMP management has its own set of security needs. Keeping SNMP traffic on the management segment allows it to traverse an isolated segment when pulling management information from devices. With SAFE, SNMP management pulls information only from devices rather than allowing it to push changes. To ensure this, each device is only configured with a “read-only” string.

Proper aggregation and analysis of the syslog information is critical to the proper management of a network. From a security perspective, syslog provides important information regarding security violations and configuration changes. Depending on the device in question, different levels of syslog information might be required. Having full logging with all messages sent might provide too much information for an individual or syslog analysis algorithm to sort. Logging for the sake of logging does not improve security. SNMP “read-write” may be configured when using an OOB network, but be aware of the increased security risk due to a clear text string allowing modification of device configurations.

For the SAFE validation lab, all configurations were done using standalone management applications and the command-line interface (CLI). Nothing in SAFE, however, precludes using more advanced management systems for configuration. Establishing this management module makes deployments of such technology completely viable. CLI and standalone management applications were chosen because the majority of current network deployments use this configuration method.

Alternatives

As mentioned in the “Axioms” section, complete out-of-band management is not always possible. When in-band management is required, more emphasis needs to be placed on securing the transport of the management protocols. This can be through the use of IPSec, SSH, SSL, or any other encrypted and authenticated transport that allows management information to traverse it. When management happens on the same interface that a device uses for user data, importance needs to be placed on passwords, community strings, cryptographic keys, and the access-lists that control communications to the management services. Additionally, if the throughput requirements in the management module are high, consider the use of a dedicated firewall as opposed to the router with firewall functionality. The router was chosen because of its flexibility in IPSec configuration and its routing options.
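The filtering rules of the management module's IOS firewall described in the design guidelines above (syslog in, telnet/SSH/SNMP only when initiated from the inside, IPSec only from predetermined production hosts, and management address space blocked wherever it appears on production links) modelled in Python as an added example; this is not an IOS configuration, and the address ranges, syslog hosts and IPSec peer are assumed.

```python
"""Model of the management module's IOS firewall policy as described in the
SAFE design guidelines. Added example, not Cisco configuration; all address
ranges are assumed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed management address space: non-routable, never advertised into production.
MANAGED_DEVICES = ip_network("10.50.0.0/24")   # segment outside the firewall (managed devices)
MGMT_HOSTS = ip_network("10.50.1.0/24")        # segment inside the firewall (management hosts)
SYSLOG_HOSTS = {ip_address("10.50.1.10"), ip_address("10.50.1.11")}
IPSEC_PEERS = {ip_address("192.0.2.50")}       # predetermined production hosts allowed to build tunnels
INSIDE_INITIATED = {("tcp", 22): "ssh", ("tcp", 23): "telnet", ("udp", 161): "snmp"}


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "esp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


class ManagementFirewall:
    """Stateful filter: management protocols are only permitted when the
    management hosts initiate them; managed devices may only send syslog."""

    def __init__(self):
        self.sessions = set()   # (proto, initiator, responder, sport, dport)

    def handle(self, pkt):
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        key = (pkt.proto, src, dst, pkt.sport, pkt.dport)
        # 1. Return traffic of a session the inside opened.
        if (pkt.proto, dst, src, pkt.dport, pkt.sport) in self.sessions:
            return "permit", "return traffic of inside-initiated session"
        # 2. SSH/telnet/SNMP, but only from the management hosts towards devices.
        name = INSIDE_INITIATED.get((pkt.proto, pkt.dport))
        if name and src in MGMT_HOSTS and dst in MANAGED_DEVICES:
            self.sessions.add(key)
            return "permit", f"{name} initiated from inside"
        # 3. Syslog (UDP/514) from managed devices to the syslog hosts only.
        if src in MANAGED_DEVICES and dst in SYSLOG_HOSTS and pkt.proto == "udp" and pkt.dport == 514:
            return "permit", "syslog into management segment"
        # 4. IPSec (IKE on UDP/500, ESP) from predetermined production hosts.
        if src in IPSEC_PEERS and dst in MGMT_HOSTS and (
                pkt.proto == "esp" or (pkt.proto == "udp" and pkt.dport == 500)):
            return "permit", "IPSec from predetermined host"
        return "deny", "default deny"


def production_ingress_check(src):
    """Filter for production devices: management address space must never
    appear as a source on production links."""
    addr = ip_address(src)
    if addr in MANAGED_DEVICES or addr in MGMT_HOSTS:
        return "deny", "management address space on production link"
    return "permit", "not management space"


if __name__ == "__main__":
    fw = ManagementFirewall()
    flows = [
        Packet("tcp", "10.50.1.20", "10.50.0.5", 40000, 22),   # admin host opens SSH to a device
        Packet("tcp", "10.50.0.5", "10.50.1.20", 22, 40000),   # the device's SSH reply
        Packet("tcp", "10.50.0.5", "10.50.1.20", 1025, 23),    # compromised device tries telnet inward
        Packet("udp", "10.50.0.5", "10.50.1.10", 514, 514),    # device sends syslog
        Packet("udp", "10.50.0.5", "10.50.1.20", 514, 514),    # syslog to a non-syslog host
        Packet("esp", "203.0.113.9", "10.50.1.20"),            # IPSec from an unknown host
    ]
    for p in flows:
        print(p, "->", fw.handle(p))
    print("production ingress 10.50.1.20 ->", production_ingress_check("10.50.1.20"))
```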


Core Module

The core module in the SAFE architecture is nearly identical to the core module of any other network architecture. It merely routes and switches traffic as fast as possible from one network to another.

Key Devices

• Layer 3 switching – route and switch production network data from one module to another

Figure 7 Core Module: Detail
(Diagram: Layer 3 switches eL3sw-3 and eL3sw-4 with links to the Building Distribution, Edge Distribution and Server Modules.)

Threats Mitigated

• Packet Sniffers – a switched infrastructure limits the effectiveness of sniffing

Design Guidelines

Standard implementation guidelines were followed in accordance with the “core, distribution, and access layer” deployments commonly seen in well-designed Cisco-based networks. Though no unique requirements are defined by the SAFE architecture for the core of enterprise networks, the core switches follow the switch security axiom in the “Switches Are Targets” section, to ensure that they are well protected against direct attacks.

Building Distribution Module

The goal of this module is to provide distribution layer services to the building switches; these include routing, quality of service (QoS), and access control. Requests for data flow into these switches and onto the core, and responses follow the identical path in reverse.

Key Devices

• Layer 3 switches – aggregate Layer 2 switches in the building module and provide advanced services

Figure 8 Building Distribution Module: Detail
(Diagram: Layer 3 switches eL3sw-5 and eL3sw-6 between the Building Access Module and the Core Module.)


Threats Mitigated

• Unauthorized Access – attacks against server module resources are limited by Layer 3 filtering of specific subnets
• IP Spoofing – RFC 2827 filtering stops most spoofing attempts
• Packet Sniffers – a switched infrastructure limits the effectiveness of sniffing

Figure 9 Attack Mitigation Roles for Building Distribution Module
(Diagram annotations: inter-subnet filtering and RFC 2827 filtering on the switches between the Building Access Module and the Core Module.)

Design Guidelines

In addition to standard network design fundamentals, the optimizations described in the “Switches Are Targets” section were implemented to provide added security within the enterprise user community. Intrusion detection is not implemented at the building distribution module because it is implemented in the modules that contain the resources that are likely to be attacked for their content (server, remote access, Internet, and so forth). The building distribution module provides the first line of defense and prevention against internally originated attacks. It can mitigate the chance of a department accessing confidential information on another department’s server through the use of access control. For example, a network that contains marketing and research and development might segment off the R&D server to a specific VLAN and filter access to it, ensuring that only R&D staff have access to it. For performance reasons, it is important that this access control be implemented on a hardware platform that can deliver filtered traffic at near wire rates. This generally dictates the use of Layer 3 switching as opposed to more traditional dedicated routing devices. This same access control can also prevent local source-address spoofing through the use of RFC 2827 filtering. Finally, subnet isolation is used to route voice-over-IP (VoIP) traffic to the call manager and any associated gateways. This prevents VoIP traffic from crossing the same segments that all other data traffic crosses, reducing the likelihood of sniffing voice communications, and allows a smoother implementation of QoS. Complete secure IP Telephony deployment details are outside the scope of this document.

Alternatives

Depending on the size and performance requirements of the network, the distribution layer can be combined with the core layer to reduce the number of devices required in the environment.

Building Module

SAFE defines the building module as the extensive network portion that contains end-user workstations, phones, and their associated Layer 2 access points. Its primary goal is to provide services to end users.

Key Devices

• Layer 2 switch – provides Layer 2 services to phones and user workstations
• User workstation – provides data services to authorized users on the network
• IP phone – provides IP telephony services to users on the network


Figure 10 Building Access Module: Detail
(Diagram: Layer 2 switches eL2sw-11 and eL2sw-12 connecting to the Building Distribution Module.)

Threats Mitigated

• Packet sniffers – a switched infrastructure and default VLAN services limit the effectiveness of sniffing
• Virus and Trojan horse applications – host-based virus scanning prevents most viruses and many Trojan horses

Figure 11 Attack Mitigation Roles for Building Access Module
(Diagram annotations: host virus scanning on the workstations, VLANs on the access switches, uplinks to the Building Distribution Module.)

Design Guidelines

Because user devices are generally the largest single element of the network, implementing security in a concise and effective manner is challenging. From a security perspective, the building distribution module, rather than anything in the building module, provides most of the access control that is enforced at the end-user level. This is because the Layer 2 switch that the workstations and phones connect to has no capability for Layer 3 access control. In addition to the network security guidelines described in the switch security axiom, host-based virus scanning is implemented at the workstation level.

Server Module

The server module’s primary goal is to provide application services to end users and devices. Traffic flows on the server module are inspected by on-board intrusion detection within the Layer 3 switches.

Key Devices

• Layer 3 Switch – provides Layer 3 services to the servers and inspects data crossing the server module with NIDS
• Call Manager – performs call routing functions for IP telephony devices in the enterprise
• Corporate and Department Servers – deliver file, print, and DNS services to workstations in the building module
• E-Mail Server – provides SMTP and POP3 services to internal users

Figure 12 Server Module: Detail
(Diagram: Layer 3 switches eL3sw-1 and eL3sw-2 connected to the Core Module, serving the Corporate Server, Internal Dept. server, Cisco CallManager and Email Server.)

Threats Mitigated

• Unauthorized Access – mitigated through the use of host-based intrusion detection and access control
• Application Layer Attacks – operating systems, devices, and applications are kept up to date with the latest security fixes and protected by host-based IDS
• IP Spoofing – RFC 2827 filtering prevents source address spoofing
• Packet Sniffers – a switched infrastructure limits the effectiveness of sniffing
• Trust Exploitation – trust arrangements are very explicit; private VLANs prevent hosts on the same subnet from communicating unless necessary
• Port Redirection – host-based IDS prevents port redirection agents from being installed

Figure 13 Attack Mitigation Roles for Server Module
(Diagram annotations: NIDS for server attacks and RFC 2827 filtering on the Layer 3 switches, private VLANs for server connections, host IDS for local attack on the Corporate Server, Internal Dept. server, CallManager and Email Server.)

Design Guidelines

The server module is often overlooked from a security perspective. When examining the levels of access most employees have to the servers to which they attach, the servers can often become the primary goal of internally originated attacks. Simply relying on effective passwords does not provide for a comprehensive attack mitigation strategy. Using host and network-based IDS, private VLANs, access control, and good system administration practices (such as keeping systems up to date with the latest patches) provides a much more comprehensive response to attacks. Because the NIDS system is limited in the amount of traffic it can analyze, it is important to send it attack-sensitive traffic only. This varies from network to network, but should likely include SMTP, Telnet, FTP, and WWW. The switch-based NIDS was chosen because of its ability to look only at interesting traffic across all VLANs as defined by the security policy. Once properly tuned, this IDS can be set up in a restrictive manner, because required traffic streams should be well known.

Alternatives

Like the building distribution module, the server module can be combined with the core module if performance needs do not dictate separation. For very sensitive high-performance server environments, installing more than one NIDS blade and directing policy-matched traffic to specific blades can scale the NIDS capability in the Layer 3 switch. For critical systems such as the IP telephony call manager or an accounting database, consider separating these hosts from the rest of the module with a stateful firewall.

Edge Distribution Module

This module’s goal is to aggregate the connectivity from the various elements at the edge. Traffic is filtered and routed from the edge modules and routed into the core.

Key Devices

• Layer 3 switches – aggregate edge connectivity and provide advanced services

Figure 14 Edge Distribution Module: Detail
(Diagram: Layer 3 switches eL3sw-7 and eL3sw-8 between the Core Module and the e-Commerce, Corporate Internet, VPN/Remote Access and WAN Modules.)

Threats Mitigated

• Unauthorized Access – filtering provides granular control over specific edge subnets and their ability to reach areas within the campus
• IP Spoofing – RFC 2827 filtering limits locally initiated spoof attacks
• Network Reconnaissance – filtering limits nonessential traffic from entering the campus, limiting a hacker’s ability to perform network recon
• Packet Sniffers – a switched infrastructure limits the effectiveness of sniffing


Figure 15 Attack Mitigation Roles for Edge Distribution Module
(Diagram annotations: Layer 3 access control and RFC 2827 filtering on the switches between the Core Module and the e-Commerce, Corporate Internet, VPN/Remote Access and WAN Modules.)

Design Guidelines

The edge distribution module is similar in some respects to the building distribution module in terms of overall function. Both modules employ access control to filter traffic, although the edge distribution module can rely somewhat on the entire edge functional area to perform additional security functions. Both modules use Layer 3 switching to achieve high performance, but the edge distribution module can add additional security functions because the performance requirements are not as great. The edge distribution module provides the last line of defense for all traffic destined to the campus module from the edge module. This includes mitigation of spoofed packets, erroneous routing updates, and provisions for network layer access control.

Alternatives

Like the server and building distribution modules, the edge distribution module can be combined with the core module if performance requirements are not as stringent as the SAFE reference implementation. NIDS is not present in this module, but could be placed here through the use of IDS line cards in the Layer 3 switches. It would then reduce the need for NIDS appliances at the exit from the critical edge modules as they connect to the campus. However, performance reasons may dictate, as they did in SAFE’s reference design, that dedicated intrusion detection be placed in the various edge modules as opposed to the edge distribution module.


Enterprise Edge

The following is a detailed analysis of all the modules contained within the Enterprise Edge.

Figure 16 Enterprise Edge Detail – Part 1
(Diagram: ISP A and ISP B Modules feeding the E-commerce Module and the Corporate Internet Module, each connected to the Edge Distribution Module; the Corporate Internet Module also connects to the VPN/Remote Access Module.)


Figure 17 Enterprise Edge Detail – Part 2
(Diagram: VPN/Remote Access Module connected to the Corporate Internet Module, the PSTN Module and the Edge Distribution Module; WAN Module connected to the Frame/ATM Module and the Edge Distribution Module.)


Corporate Internet Module

The Corporate Internet module provides internal users with connectivity to Internet services and Internet users access to information on public servers. Traffic also flows from this module to the VPN and remote access module where VPN termination takes place. This module is not designed to serve e-commerce type applications. Refer to the “E-Commerce Module” section later in this document for more details on providing Internet commerce.

Figure 18 Corporate Internet Traffic Flow
[Figure: traffic flow between the ISP module, the corporate Internet module (DNS, SMTP, FTP and Web servers, SMTP inspection, URL filtering) and the edge distribution module; incoming FTP, Web, DNS and SMTP and outgoing SMTP, DNS and Internet traffic are shown at Layer 4 and Layers 5-7, with VPN traffic in and out at Layers 1-3]

Key Devices

• SMTP server – acts as a relay between the Internet and the Internet mail servers – inspects content
• DNS server – serves as authoritative external DNS server for the enterprise, relays internal requests to the Internet
• FTP/HTTP server – provides public information about the organization
• Firewall – provides network-level protection of resources and stateful filtering of traffic
• NIDS appliance – provides Layer 4 to Layer 7 monitoring of key network segments in the module
• URL Filtering Server – filters unauthorized URL requests from the enterprise

Figure 19 Corporate Internet Module: Detail
[Figure: devices shown are ISP A and ISP B, routers eIOS-21, eIOS-22, eIOS-23 and eIOS-24, firewalls ePIX-31 and ePIX-33, NIDS appliances eIDS-81 through eIDS-86, the Web/FTP, DNS and SMTP servers and the URL filtering server; links lead to the edge distribution module and to the VPN/remote access module]

Threats Mitigated

• Unauthorized Access – mitigated through filtering at the ISP, edge router, and corporate firewall
• Application Layer Attacks – mitigated through IDS at the host and network levels
• Virus and Trojan Horse – mitigated through e-mail content filtering and host IDS
• Password Attacks – limited services available to brute force, OS and IDS can detect the threat
• Denial of Service – rate limiting at ISP edge and TCP setup controls at firewall
• IP Spoofing – RFC 2827 and 1918 filtering at ISP edge and enterprise edge router
• Packet Sniffers – switched infrastructure and host IDS limits exposure
• Network Reconnaissance – IDS detects recon, protocols filtered to limit effectiveness
• Trust Exploitation – restrictive trust model and private VLANs limit trust-based attacks
• Port Redirection – restrictive filtering and host IDS limit attack

Figure 20 Attack Mitigation Roles for Corporate Internet Module
[Figure: roles shown are spoof mitigation and basic filtering at ISP A and at the enterprise edge, (D)DoS rate-limiting, stateful packet filtering, basic Layer 7 filtering, host DoS mitigation, host IDS for local attack mitigation, SMTP content inspection, inspection of outbound traffic for unauthorized URLs, and focused and broad Layer 4-7 analysis; links lead to edge distribution and to VPN/remote access]

Design Guidelines

The heart of the module is a pair of resilient firewalls, which provide protection for the Internet public services and internal users. Stateful inspection examines traffic in all directions, ensuring only legitimate traffic crosses the firewall. Aside from the Layer 2 and Layer 3 resilience built into the module and the stateful failover capability of the firewall, all other design considerations center around security and attack mitigation. Starting at the customer-edge router in the ISP, the egress out of the ISP rate-limits nonessential traffic that exceeds prespecified thresholds in order to mitigate against (D)DoS attacks. Also at the egress of the ISP router, RFC 2827 and RFC 1918 filtering mitigate against source-address spoofing of local networks and private address ranges. At the ingress of the first router on the Enterprise network, basic filtering limits the traffic to the expected (addresses and IP services) traffic, providing a coarse filter for the most basic attacks. RFC 1918 and 2827 filtering is also provided here as a verification of the ISP’s filtering. In addition, because of the enormous security threat that they create, the router is configured to drop most fragmented packets, which should not generally be seen for standard traffic types on the Internet. Any legitimate traffic lost because of this filtering is considered acceptable when compared to the risk of allowing such traffic. Finally, any IPSec traffic destined for the VPN and remote access module is routed appropriately. Filtering on the interface connected to the VPN module is configured to allow only IPSec traffic to cross, and only when originated from and sent to authorized peers. With remote access VPNs you generally do not know the IP address of the system coming in, so filtering can be specific only to the head-end peers with which the remote users are communicating.
The NIDS appliance at the public side of the firewall is monitoring for attacks based on Layer 4 to Layer 7 analysis and comparisons against known signatures. Because the ISP and enterprise edge router are filtering certain address ranges and ports, the NIDS appliance can focus on some of the more complex attacks. Still, this NIDS should have alarms set to a lower level than appliances on the inside of the firewall because alarms seen here do not represent actual breaches, but merely attempts.
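To make the edge-router checks above concrete, here is an added Python model (written for this page, not Cisco code and not from the SAFE paper) that evaluates the ingress policy the text describes against constructed packet headers, including the IPsec-only filtering toward the VPN and remote access module; the enterprise prefix, server addresses, remote-site peer and service ports are placeholders.

```python
"""Ingress policy of the first enterprise router in the SAFE corporate Internet module.

Added example, not Cisco code: it models the checks the text describes (RFC 1918 and
RFC 2827 verification, dropping fragments, admitting only IKE/ESP toward the VPN module,
and a coarse address/service filter). All addresses and ports are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import Tuple

# Constructed addressing (placeholders, not from the paper).
ENTERPRISE_PUBLIC = ipaddress.ip_network("192.0.2.0/24")      # the enterprise's public block
FIREWALL_OUTSIDE = ipaddress.ip_address("192.0.2.1")          # outside address of the firewall pair
VPN_HEADEND = ipaddress.ip_address("192.0.2.10")              # remote-access VPN concentrator
SITE_VPN_ROUTERS = {ipaddress.ip_address("192.0.2.11"),
                    ipaddress.ip_address("192.0.2.12")}       # site-to-site VPN routers
REMOTE_SITES = {ipaddress.ip_address("203.0.113.5")}         # known remote-site peers
# Public services segment: destination -> permitted (IP protocol, destination port).
PUBLIC_SERVICES = {
    ipaddress.ip_address("192.0.2.20"): {(6, 80), (6, 443), (6, 21)},   # Web/FTP server
    ipaddress.ip_address("192.0.2.21"): {(17, 53), (6, 53)},           # external DNS server
    ipaddress.ip_address("192.0.2.22"): {(6, 25)},                     # SMTP relay
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IKE_PORT, UDP_ENCAP_PORT, ESP, UDP, TCP = 500, 10000, 50, 17, 6


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int              # IP protocol number (6 TCP, 17 UDP, 50 ESP)
    dport: int = 0          # transport destination port, 0 if not applicable
    fragment: bool = False  # datagram is fragmented


def is_ipsec(pkt: Packet) -> bool:
    """IKE (UDP 500), ESP (IP protocol 50) or ESP tunneled in UDP 10000."""
    return pkt.proto == ESP or (pkt.proto == UDP and pkt.dport in (IKE_PORT, UDP_ENCAP_PORT))


def ingress_decision(pkt: Packet) -> Tuple[bool, str]:
    """Return (permit, reason) for a packet arriving from the ISP on the edge router."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    # RFC 1918: private source addresses must never arrive from the Internet.
    if any(src in net for net in RFC1918):
        return False, "rfc1918-source"
    # RFC 2827 verification: nothing on the Internet legitimately sources our own prefix.
    if src in ENTERPRISE_PUBLIC:
        return False, "rfc2827-spoofed-local-source"
    # Fragments are dropped; losing the rare legitimate fragment is accepted by design.
    if pkt.fragment:
        return False, "fragment"
    # The interface toward the VPN module carries IPsec only. Remote-access peers are
    # unknown, so only the head-end is pinned; site-to-site peers are pinned on both ends.
    if dst == VPN_HEADEND:
        return (True, "ipsec-remote-access") if is_ipsec(pkt) else (False, "non-ipsec-to-headend")
    if dst in SITE_VPN_ROUTERS:
        if is_ipsec(pkt) and src in REMOTE_SITES:
            return True, "ipsec-site-to-site"
        return False, "unexpected-site-to-site-peer-or-protocol"
    # Coarse filter: only the expected public services, by address and port.
    if (pkt.proto, pkt.dport) in PUBLIC_SERVICES.get(dst, set()):
        return True, "public-service"
    # Replies to sessions the internal users opened return to the firewall's outside
    # address; the stateful firewall behind this router decides their fate.
    if dst == FIREWALL_OUTSIDE:
        return True, "to-stateful-firewall"
    return False, "not-expected-traffic"


if __name__ == "__main__":
    samples = [
        Packet("10.1.1.1", "192.0.2.20", TCP, 80),                # private source
        Packet("198.51.100.7", "192.0.2.20", TCP, 80, fragment=True),
        Packet("198.51.100.7", "192.0.2.10", UDP, 500),           # IKE to the head-end
        Packet("198.51.100.7", "192.0.2.11", ESP),                # ESP from an unknown site
    ]
    for p in samples:
        print(p, "->", ingress_decision(p))
```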

The firewall provides connection state enforcement and detailed filtering for sessions initiated through it. Publicly addressable servers have some protection against TCP SYN floods through the use of half-open connection limits on the firewall. From a filtering standpoint, in addition to limiting traffic on the public services segment to relevant addresses and ports, filtering in the opposite direction also takes place. If an attack compromises one of the public servers (by circumventing the firewall, host-based IDS, and network-based IDS), that server should not be able to further attack the network. To mitigate against this type of attack, specific filtering prevents any unauthorized requests from being generated by the public servers to any other location. As an example, the Web server should be filtered so that it cannot originate requests of its own, but merely respond to requests from clients. This helps prevent a hacker from downloading additional utilities to the compromised box after the initial attack. It also helps stop unwanted sessions from being triggered by the hacker during the primary attack. An attack that generates an xterm from the Web server through the firewall to the hacker’s machine is an example of such an attack. In addition, private VLANs prevent a compromised public server from attacking other servers on the same segment. This traffic is not even detected by the firewall, which is why private VLANs are critical. Traffic on the content inspection segment is limited to URL filtering requests from the firewall to the URL filtering device. In addition, authenticated requests are allowed from the enterprise URL filtering device out to a master server for database updates. The URL filtering device inspects outbound traffic for unauthorized WWW requests. It communicates directly with the firewall and approves or rejects URL requests sent to its URL inspection engine by the firewall.
Its decision is based on a policy managed by the enterprise using classification information of the WWW provided by a third-party service. URL inspection was preferred over standard access filtering because IP addresses often change for unauthorized Web sites, and such filters can grow to be very large. Host-based IDS software on this server protects against possible attacks that somehow circumvent the firewall. Remember that with URL filtering you are sacrificing performance of your HTTP traffic for the greater control this inspection provides. The public services segment includes an NIDS appliance in order to detect attacks on ports that the firewall is configured to permit. These most often are application layer attacks against a specific service or a password attack against a protected service. You need to set this NIDS in a more restrictive stance than the NIDS on the outside of the firewall because signatures matched here have successfully passed through the firewall. Each of the servers has host intrusion detection software on it to monitor against any rogue activity at the OS level, as well as activity in common server applications (HTTP, FTP, SMTP, and so forth). The DNS host should be locked down to respond only to desired commands and eliminate any unnecessary responses that might assist hackers in network reconnaissance. This includes preventing zone transfers from anywhere but the internal DNS servers. The SMTP server includes mail content inspection services that mitigate against virus and Trojan-type attacks generated against the internal network that are usually introduced through the mail system. The firewall itself filters SMTP messages at Layer 7 to allow only necessary commands to the mail server. The NIDS appliance on the inside interface of the firewall provides a final analysis of attacks.
Very few attacks should be detected on this segment because only responses to initiated requests, and a few select ports from the public services segment, are allowed to the inside. Only sophisticated attacks should be seen on this segment because they generally mean a system on the public services segment has been compromised and the hacker is attempting to leverage this foothold to attack the internal network. For example, if the public SMTP server were compromised, a hacker might try to attack the internal mail server over TCP port 25, which is permitted to allow mail transfer between the two hosts. If attacks are seen on this segment, the responses to those attacks should be more severe than those on other segments because they probably indicate that a compromise has already occurred. The use of TCP resets to thwart, for example, the SMTP attack mentioned above, should be seriously considered.

Alternatives

There are several alternative designs for this module. For example, depending on your attitude towards attack awareness, the NIDS appliances might not be required in front of the firewall. In fact, without basic filtering on the access router, this type of monitoring is not recommended. With the appropriate basic filters, which exist in this design, the IDS outside the firewall can provide important alarm information that would otherwise be dropped by the firewall. Because the number of alarms generated on this segment is probably large, alarms generated here should have a lower severity than alarms generated behind a firewall. Also, consider logging alarms from this segment to a separate management station to ensure that legitimate alarms from other segments get the appropriate attention. With the visibility that NIDS outside the firewall provides, the attack types your organization is attracting can be evaluated more readily. In addition, the effectiveness of ISP and enterprise edge filters can be evaluated. Another possible alternative to the proposed design is the elimination of the router between the firewall and the edge distribution module. Though its functions can be integrated into the edge distribution module, the functional separation between modules would be lost because the edge distribution switches would need to be aware of the entire topology of the corporate Internet module to ensure proper routing. In addition, this limits your ability to deploy this architecture in a modular fashion. If an enterprise’s current core is Layer 2, for example, the routing provided in the corporate Internet module would be required.

Near-Term Architecture Goals

Developing Cisco firewall technology that can communicate directly with other content inspection devices is needed (for example, network-based virus scanning). Currently, URL filtering is the only supported content filtering function that is directly integrated with Cisco firewall technology. Nonintegrated products rely on users operating in a proxy mode that does not properly scale.

VPN and Remote Access Module

As the name implies, the primary objective of this module is three-fold: terminate the VPN traffic from remote users, provide a hub for terminating VPN traffic from remote sites, and terminate traditional dial-in users. All the traffic forwarded to the edge distribution is from remote corporate users that are authenticated in some fashion before being allowed through the firewall.

Figure 21 Remote Access VPN Module Traffic Flow
[Figure: traffic between the ISP module, the remote access VPN module and the edge distribution module; dial remote access and encrypted remote access with user authentication at Layers 4-7, encrypted site-to-site traffic and IPsec termination at Layers 1-3, and clear-text remote traffic toward the edge distribution module]

Key Devices

• VPN Concentrator – authenticate individual remote users using Extended Authentication (XAUTH) and terminate their IPSec tunnels
• VPN Router – authenticate trusted remote sites and provide connectivity using GRE/IPSec tunnels
• Dial-In Server – authenticate individual remote users using TACACS+ and terminate their analog connections
• Firewall – provide differentiated security for the three different types of remote access
• NIDS appliance – provide Layer 4 to Layer 7 monitoring of key network segments in the module

Figure 22 Remote Access VPN Module: Detail
[Figure: devices shown are VPN concentrators eVPN-47 and eVPN-48 (remote access VPN), firewalls ePIX-32 and ePIX-34, routers eIOS-25, eIOS-26, eIOS-27, eIOS-28, eIOS-51 and eIOS-52, NIDS appliances eIDS-87 through eIDS-90, the site-to-site VPN and the traditional dial access servers on the PSTN; links lead to the Internet via the corporate Internet module and to the edge distribution module]

Threats Mitigated

• Network Topology Discovery – only Internet Key Exchange (IKE) and Encapsulating Security Payload (ESP) are allowed into this segment from the Internet
• Password Attack – OTP authentication reduces the likelihood of a successful password attack
• Unauthorized Access – firewall services after packet decryption prevent traffic on unauthorized ports
• Man-in-the-Middle – mitigated through encrypted remote traffic
• Packet Sniffers – a switched infrastructure limits the effectiveness of sniffing

Figure 23 Attack Mitigation Roles for Remote Access VPN Module
[Figure: roles shown are allowing only IPsec traffic from the Internet via the corporate Internet module, authenticating users and terminating IPsec, authenticating the remote site and terminating IPsec, authenticating users and terminating analog dial from the PSTN, stateful packet filtering and basic Layer 7 filtering at the firewall, and focused and broad Layer 4-7 analysis; a link leads to the edge distribution module]

Design Guidelines

Resilience aside, the core requirement of this module is to have three separate external user services authenticate and terminate. Because the traffic comes from different sources outside of the Enterprise network, the decision was made to provide a separate interface on the firewall for each of these three services. The design considerations for each of these services are addressed below.

Remote-Access VPN

The VPN traffic is forwarded from the corporate Internet module access routers, where it is first filtered at the egress point to the specific IP addresses and protocols that are part of the VPN services. Today’s remote-access VPNs can use several different tunneling and security protocols. Although IPSec is the tunneling protocol of choice, many organizations choose Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) because they are natively supported by popular desktop operating systems. In SAFE, IPSec was chosen because the clients require minimal configuration and at the same time provide good security. The remote-access VPN traffic will be addressed to one specific public address using the IKE (UDP 500) protocol, ESP (IP 50) protocol, and UDP port 10000. IKE provides tunnel setup, ESP encrypts the data, and UDP 10000 is optionally used if ESP traffic is tunneled inside of UDP to get around remote site firewalling restrictions or NAT. Because the IKE connection is not completed until the correct authentication information is provided, this provides a level of deterrence for the potential hacker. As part of the extensions (draft RFCs) of IKE, XAUTH provides an additional user authentication mechanism before the remote user is assigned any IP parameters. The VPN concentrator is “connected” to the access control server on the management subnet via its management interface. Strong passwords are provided via the one-time password server. Once authenticated, the remote user is provided with access by receiving IP parameters using another extension of IKE, MODCFG. Aside from an IP address and the location of name servers (DNS and WINS), MODCFG also provides authorization services to control the access of the remote user. For example, in SAFE, users are prevented from enabling split tunneling, thereby forcing the user to access the Internet via the corporate connection. The IPSec parameters that are being used are Triple DES for encryption and SHA-HMAC for data integrity. The hardware encryption modules in the VPN concentrator allow remote access VPN services to be scalably deployed to thousands of remote users. Following termination of the VPN tunnel, traffic is sent through a firewall to ensure that VPN users are appropriately filtered. Secure management of this service is achieved by pushing all IPSec and security parameters to the remote users from the central site. Additionally, connections to all management functions are on a dedicated management interface.

Dial-in access users

The traditional dial-in users are terminated on one of the two access routers with built-in modems. Once the Layer 1 connection is established between the user and the server, three-way CHAP is used to authenticate the user. As in the remote-access VPN service, the AAA and one-time password servers are used to authenticate and provide passwords. Once authenticated, the users are provided with IP addresses from an IP pool through PPP.

Site-to-site VPN

The VPN traffic associated with site-to-site connections consists of GRE tunnels protected by an IPSec protocol in transport mode using Encapsulating Security Payload (ESP). As in the remote-access case, the traffic that is forwarded from the corporate Internet module can be limited to the specific destination addresses on the two VPN routers and the source addresses expected from the remote sites. The ESP protocol and the IKE protocol will be the only two expected on this link. GRE is used to provide a full-service routed link that will carry multiprotocol, routing protocol, and multicast traffic. Because routing protocols (Enhanced Interior Gateway Routing Protocol [EIGRP] is being used between remote sites) can detect link failure, the GRE tunnel provides a resilience mechanism for the remote sites if they build two generic routing encapsulation (GRE) connections, one to each of the central VPN routers. As in remote-access VPN, 3DES and SHA-HMAC are used for IKE and IPSec parameters to provide the maximum security with little effect on performance. IPSec hardware accelerators are used in the VPN routers.

Rest of the module

The traffic from the three services is aggregated by the firewall onto one private interface before being sent to the edge distribution module via a pair of routers. The firewall must be configured with the right type of constraining access control to allow only the appropriate traffic through to the inside interface of the firewall from each of the services. In addition to access control, the firewalls provide a point of auditing for all VPN traffic and an enforcement point for NIDS threat response. A pair of NIDS appliances are positioned at the public side of the module to detect any network “reconnaissance” activity targeted at the VPN termination devices. On this segment, only IPSec (IKE/ESP) traffic should be seen. Because the NIDS system cannot see inside the IPSec packets, any alarm on this network indicates a failure or compromise of the surrounding devices. As such, these alarms should be set to high severity levels. A second pair of NIDS are positioned after the firewall to detect any attacks that made it through the rest of the module. All users crossing this segment should be bound to, or coming from, a remote location, so any shunning or TCP resets will only affect those users. This allows a more restrictive stance for the NIDS as opposed to, say, the corporate Internet module, where some of the NIDS devices have the potential to shut out legitimate users if too loosely configured.

Alternatives

In VPN and authentication technology, there are many alternatives available depending on the requirements of the network. These alternatives are listed below for reference, but the details are not addressed in this document.

• Smart-card and/or biometric authentication
• L2TP and/or PPTP remote-access VPN tunnels
• Certificate Authorities (CAs)
• IKE keep-alive resilience mechanism
• Multiprotocol Label Switching (MPLS) VPNs

In the SAFE VPN document an alternative VPN design is proposed which significantly increases the scalability of the VPN solution. This design adds L3 switches as a routing distribution layer before the clear-text traffic is sent through the firewall. Interested readers should refer to SAFE VPN at the following URL: http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safev_wp.htm.

WAN Module

Rather than being all-inclusive of potential WAN designs, this module shows resilience and security for WAN termination. Using Frame Relay encapsulation, traffic is routed between remote sites and the central site.

Key Devices

• IOS Router – using routing, access-control, QoS mechanisms

Figure 24 WAN Module: Detail
[Figure: routers eIOS-61 and eIOS-62 between the FR/ATM link and the edge distribution module]

Threats Mitigated

• IP Spoofing – mitigated through L3 filtering
• Unauthorized Access – simple access control on the router can limit the types of protocols to which branches have access

Figure 25 Attack Mitigation Roles for WAN Module
[Figure: Layer 3 access control on the routers between the FR/ATM link and the edge distribution module]

Design Guidelines

The resilience is provided by the dual connection from the service provider, through the routers, and to the edge distribution module. Security is provided by using IOS security features. Input access-lists are used to block all unwanted traffic from the remote branch.

Alternatives

Some organizations that are very concerned about information privacy encrypt highly confidential traffic on their WAN links. As with site-to-site VPNs, you can use IPSec to achieve this information privacy.

E-Commerce Module

Because e-commerce is the primary objective of this module, the balance between access and security must be carefully weighed. Splitting the e-commerce transaction into three components allows the architecture to provide various levels of security without impeding access.

Figure 26 E-Commerce Traffic Flow
[Figure: incoming requests from the ISP module pass through the Web, application (Apps) and database (DB) tiers of the e-commerce module toward the edge distribution module; the flow is shown at Layers 1-3, Layer 4 and Layers 5-7]

Key Devices

• Web server – acts as the primary user interface for the navigation of the e-commerce store
• Application server – is the platform for the various applications required by the Web server
• Database server – is the critical information that is the heart of the e-commerce business implementation
• Firewall – governs communication between the various levels of security and trust in the system
• NIDS appliance – provides monitoring of key network segments in the module
• Layer 3 switch with IDS module – is the scalable e-commerce input device with integrated security monitoring

Figure 27 E-Commerce Module: Detail
[Figure: Web servers, application servers and database servers in separate tiers, with a link to the edge distribution module]

Threats Mitigated

• Unauthorized Access – stateful firewalling and ACLs limit exposure to specific protocols
• Application Layer Attacks – attacks are mitigated through the use of IDS
• Denial of Service – ISP filtering and rate-limiting reduce (D)DoS potential
• IP Spoofing – RFC 2827 and 1918 prevent locally originated spoofed packets and limit remote spoof attempts
• Packet Sniffers – a switched infrastructure and HIDS limits the effectiveness of sniffing
• Network Reconnaissance – ports are limited to only what is necessary, ICMP is restricted
• Trust Exploitation – firewalls ensure communication flows only in the proper direction on the proper service
• Port Redirection – HIDS and firewall filtering limit exposure to these attacks

Figure 28 Attack Mitigation Roles for E-Commerce Module
[Figure: roles shown are spoof mitigation and (D)DoS rate-limiting at ISP A, wire-speed access control and Layer 4 filtering, stateful packet filtering and basic Layer 7 filtering at the firewalls, host IDS for local attack mitigation and host DoS mitigation on the servers, and focused and broad Layer 4-7 analysis; a link leads to edge distribution]

Design Implementation Description

The heart of the module is two pairs of resilient firewalls that provide protection for the three levels of servers: Web, application, and database. Some added protection is provided by the ISP edge routers at the ISP and the Enterprise. The design is best understood by considering the traffic flow sequence and direction for a typical e-commerce transaction. The e-commerce customer initiates an HTTP connection to the Web server after receiving the IP address from a DNS server hosted at the ISP network. The DNS is hosted on a different network to reduce the number of protocols required by the e-commerce application. The first set of firewalls must be configured to allow this protocol through to that particular address. The return traffic for this connection is allowed back, but there is no need for any communication initiated by the Web server back out to the Internet. The firewall should block this path in order to limit the options of hackers if they had control of one of the Web servers. As the user navigates the Web site, certain link selections cause the Web server to initiate a request to the application server on the inside interface. This connection must be permitted by the first firewall, as well as the associated return traffic. As in the case with the Web server, there is no reason for the application server to initiate a connection to the Web server or even out to the Internet. Likewise, the user’s entire session runs over HTTP and SSL with no ability to communicate directly with the application server or the database server.

At one point, the user will want to perform a transaction. The Web server will want to protect this transaction, and the SSL protocol will be required from the Internet to the Web server. At the same time, the application server might want to query or pass information on to the database server. These are typically SQL queries that are initiated by the application server to the database server and not vice versa. These queries run through the second firewall to the database server. Depending on the specific applications in use, the database server might need to communicate with back-end systems located in the server module of the enterprise. In summary, the firewalls must allow only three specific communication paths, each with its own protocol, and block all other communication unless it is the return path packets that are associated with the three original paths. The servers themselves must be fully protected, especially the Web server, which is a publicly addressable host. The operating system and Web server application must be patched to the latest versions and monitored by the host intrusion detection software. This should mitigate against most application layer primary and secondary attacks such as port redirection and root kits. The other servers should have similar security in case the first server or firewall is compromised.

Beyond the Firewall

The e-commerce firewalls are initially protected by the customer edge router at the ISP. At the router egress point, towards the enterprise, the ISP can limit the traffic to the small number of protocols required for e-commerce with a destination address of the Web servers only. Routing protocol updates (generally Border Gateway Protocol [BGP]) are required by the edge routers, and all other traffic should be blocked. The ISP should implement rate limiting as specified in the “SAFE Axioms” section in order to mitigate (D)DoS attacks. In addition, filtering according to RFC 1918 and RFC 2827 should also be implemented by the ISP. On the enterprise premises, the initial router serves only as an interface to the ISP. The Layer 3 switch does all the network processing because it has features off-loaded to hardware processors. The Layer 3 switches participate in the full BGP routing decision in order to decide which ISP has the better route to the particular user. The Layer 3 switches also provide verification filtering in keeping with the ISP filtering described above; this provides overlapping security. Thirdly, the Layer 3 switches provide built-in IDS monitoring. If the connection to the Internet exceeds the capacity of the IDS line card, you might need to look only at inbound Web requests from the Internet on the IDS line card. While this will miss some HTTP alarm signatures (approximately 10 percent), it is better than looking at the entire stream in both directions, where many misses would occur. The other NIDS appliances behind the various interfaces of the firewall monitor the segments for any attacks that might have penetrated the first line of defense. For example, if the Web server is out of date, hackers could compromise it over an application layer attack, assuming they were able to circumvent the HIDS.
As in the corporate Internet module, the false positives must be removed so that all true attack detections are treated with the correct level of priority. In fact, because only certain types of traffic exist on certain segments, you can tune NIDS very tightly. From an application standpoint, the communications paths between the various layers (Web, apps, database) should be encrypted, transactional, and highly authenticated. For example, if the apps server were to get data from the database over some type of scripted interactive session (SSH, FTP, Telnet, and so forth), a hacker could leverage that interactive session to initiate an application layer attack. By employing secure communications, you can limit potential threats. The Layer 2 switches that support the various firewall segments provide the ability to implement private VLANs, thereby implementing a trust model that matches the desired traffic communication on a particular segment and eliminates all others. For example, there is usually no reason for one Web server to communicate with another Web server. The management of the entire module is done completely out of band as in the rest of the architecture.
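As an added illustration of the three-path rule from the Design Implementation Description above (Python written for this page, not Cisco code and not the paper's own configuration), the following stateful policy model permits only the three initiations, admits return traffic only for sessions already in its state table, and refuses anything a server initiates toward a lower-trust tier or the Internet; the tier address ranges and the application-server and SQL ports are placeholders.

```python
"""Stateful three-path policy for the SAFE e-commerce module, as a Python model.

Added example, not Cisco code. Permitted initiations are Internet -> Web (HTTP/SSL),
Web -> application server and application server -> database server; return packets are
admitted only when a matching session exists. Addresses and non-HTTP ports are constructed.
"""
import ipaddress
from typing import Dict, Set, Tuple

# Constructed tiers: a public Web segment and two private segments behind the firewall pairs.
TIERS = {
    "web": ipaddress.ip_network("192.0.2.0/24"),
    "app": ipaddress.ip_network("10.10.0.0/24"),
    "db": ipaddress.ip_network("10.20.0.0/24"),
}
# The only permitted session initiations, keyed by (source tier, destination tier).
# 8080 (application server) and 1433 (SQL) are placeholder ports for this example.
ALLOWED_INITIATIONS: Dict[Tuple[str, str], Set[int]] = {
    ("internet", "web"): {80, 443},
    ("web", "app"): {8080},
    ("app", "db"): {1433},
}
Flow = Tuple[str, int, str, int]   # (src, sport, dst, dport) of a TCP session


def tier_of(ip: str) -> str:
    """Classify an address into a tier; anything outside the three segments is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in TIERS.items():
        if addr in net:
            return name
    return "internet"


class EcommerceFirewall:
    """Models the two firewall pairs as one policy with a shared session table."""

    def __init__(self) -> None:
        self.sessions: Set[Flow] = set()

    def check(self, src: str, sport: int, dst: str, dport: int, syn: bool) -> Tuple[bool, str]:
        """Decide one TCP segment; syn=True marks a session-opening SYN."""
        forward: Flow = (src, sport, dst, dport)
        reverse: Flow = (dst, dport, src, sport)
        if forward in self.sessions:
            return True, "established"
        if reverse in self.sessions and not syn:
            return True, "return-traffic"
        if not syn:
            # No state and no SYN: a stray ACK/RST or a scan, never a legitimate reply.
            return False, "no-matching-session"
        path = (tier_of(src), tier_of(dst))
        if dport in ALLOWED_INITIATIONS.get(path, set()):
            self.sessions.add(forward)
            return True, "initiation:%s->%s:%d" % (path[0], path[1], dport)
        # Web and app servers never open sessions outward or downward; the Internet
        # never reaches the app or database tiers directly.
        return False, "denied-initiation:%s->%s:%d" % (path[0], path[1], dport)

    def close(self, src: str, sport: int, dst: str, dport: int) -> None:
        """Remove a finished session so its return path is no longer open."""
        self.sessions.discard((src, sport, dst, dport))


if __name__ == "__main__":
    fw = EcommerceFirewall()
    # Constructed transaction: customer -> Web -> app -> database, then a blocked attempt.
    print(fw.check("198.51.100.7", 40000, "192.0.2.20", 443, syn=True))
    print(fw.check("192.0.2.20", 443, "198.51.100.7", 40000, syn=False))
    print(fw.check("192.0.2.20", 50001, "10.10.0.5", 8080, syn=True))
    print(fw.check("10.10.0.5", 50002, "10.20.0.5", 1433, syn=True))
    print(fw.check("192.0.2.20", 50000, "198.51.100.7", 80, syn=True))   # Web -> Internet
```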

Cisco Systems Copyright © 2000 Cisco Systems, Inc. All Rights Reserved. Page 35 of 66

Alternatives

The principal alternative to this deployment is co-locating the entire system at an ISP. Though the design remains the same, there are two primary differences. The first is that bandwidth to the ISP is generally larger and is delivered over a LAN connection. Though not recommended, this potentially eliminates the need for the edge routers in the proposed design. The additional bandwidth also creates different requirements for (D)DoS mitigation. The second is the connection back to the enterprise, which needs to be managed in a different way. Alternatives include encryption and private lines. Using these technologies creates additional security considerations depending on the location of the connections and their intended use.

There are several variations on the primary design for this module. Aside from listing the alternatives, further discussion is beyond the scope of this paper.

• The use of additional firewalls is one alternative. A sample communications path would be edge routing -> firewall -> Web server -> firewall -> application server -> firewall -> database server. This allows each firewall to control communications for only one primary system.
• Load-balancing and caching technologies are not specifically discussed in this paper, but can be overlaid onto this architecture without major modifications.
• For very high security requirements, the use of multiple firewall types may be considered. Note that this creates additional management overhead in duplicating policy on disparate systems. The goal of these designs is to prevent a vulnerability in one firewall from circumventing the security of the entire system. These types of designs tend to be very firewall-centric and do not adequately take advantage of IDS and other security technologies to mitigate the risk of a single firewall vulnerability.

Enterprise Options

The design process is often a series of trade-offs. This short subsection highlights some of the high-level options that a network designer could implement if faced with tighter budget constraints. Some of these trade-offs are made at the module level, while others are made at the component level.

A first option is to collapse the distribution modules into the core module. This reduces the number of Layer 3 switches by 50 percent. The cost savings would be traded off against performance requirements in the core of the network and the flexibility to implement all the distribution security filtering.

A second option is to merge the functionality of the VPN and Remote Access module with the corporate Internet module. Their structure is very similar, with a pair of firewalls at the heart of the module, surrounded by NIDS appliances. This may be possible without loss of functionality if the performance of the components matches the combined traffic requirements of the modules and if the firewall has enough interfaces to accommodate the different services. Keep in mind that as functions are aggregated onto single devices, the potential for human error increases. Some organizations go even further and include the e-commerce functions in the corporate Internet/VPN module. The authors feel that the risk of doing this far outweighs any cost savings unless the e-commerce needs are minimal. Separating the e-commerce traffic from general Internet traffic allows the e-commerce bandwidth to be better optimized, because the ISP can place more restrictive filtering and rate-limiting technology on it to mitigate DDoS attacks.

A third option is to eliminate some of the NIDS appliances. Depending on your operational threat response strategy, you might need fewer NIDS appliances. This number is also affected by the amount of Host IDS deployed, because HIDS might reduce the need for NIDS in certain locations.
This is discussed, where appropriate, in the specific modules. Clearly, network design is not an exact science. Choices must always be made depending on the specific requirements facing the designer. The authors are not proposing that any designer would implement this architecture verbatim, but would encourage designers to make educated choices about network security grounded in this proven implementation.


Migration Strategies

SAFE is a guide for implementing security on the enterprise network. It is not meant to serve as a security policy for any enterprise network, nor is it meant to serve as the all-encompassing design for providing full security for all existing networks. Rather, SAFE is a template that enables network designers to consider how they design and implement their enterprise network in order to meet their security requirements. Establishing a security policy should be the first activity in migrating the network to a secure infrastructure. Basic recommendations for a security policy can be found at the end of the document in Appendix B, "Network Security Primer." After the policy is established, the network designer should consider the security axioms described in the first section of this document and see how they provide more detail for mapping the policy onto the existing network infrastructure. There is enough flexibility in the architecture and detail about the design considerations to enable the SAFE architecture elements to be adapted to most enterprise networks. For example, in the VPN and Remote Access module, the various flows of traffic from public networks are each given a separate pair of terminating devices and a separate interface on the firewall. The VPN traffic could be combined in one pair of devices if the load requirements permitted it and the security policy was the same for both types of traffic. On another network, the traditional dial-in and remote-access VPN users might be allowed directly into the network because the security policy puts enough trust in the authentication mechanisms that permit the connection to the network in the first place. SAFE allows the designer to address the security requirements of each network function almost independently of the others. Each module is generally self-contained and assumes that any interconnected module is only at a basic security level.
This allows network designers to use a phased approach to securing the enterprise network. They can address securing the most critical network functions as determined by the policy without redesigning the entire network. The exception to this is the management module. During the initial SAFE implementation, the management module should be implemented in parallel with the first module. As the rest of the network is migrated, the management module can be connected to the remaining locations.


Appendix A: Validation Lab

A reference SAFE implementation exists to validate the functionality described in this document. This appendix details the configurations of the specific devices within each module as well as the overall guidelines for general device configuration. The following are configuration snapshots from the live devices in the lab. The authors do not recommend applying these configurations directly to a production network.

Overall Guidelines

The configurations presented here correspond in part to the SAFE Axioms presented earlier in this document.

Routers

Here are the basic configuration options present on nearly all routers in the SAFE lab:

    !
    ! turn off unnecessary services
    !
    no ip domain-lookup
    no cdp run
    no ip http server
    no ip source-route
    no service finger
    no ip bootp server
    no service udp-small-servers
    no service tcp-small-servers
    !
    ! turn on logging and snmp
    !
    service timestamps log datetime localtime
    logging 192.168.253.56
    logging 192.168.253.51
    snmp-server community Txo~QbW3XM ro 98
    !
    ! set passwords and access restrictions
    !
    service password-encryption
    enable secret %Z
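As an added example that is not tooling from the SAFE lab, the following Python script checks a saved IOS configuration against the baseline above: the services that should be disabled, a logging host, an enable secret rather than an enable password, and a read-only SNMP community restricted by an access list. The required and forbidden line lists and the sample configuration (hostname, addresses and the type-7 string) are constructed assumptions.

```python
"""Audit a saved IOS configuration against the router baseline above.

Added example, not tooling from the SAFE lab. The REQUIRED, REQUIRED_PATTERNS
and FORBIDDEN lists are assumptions that mirror the snapshot above, and
SAMPLE_CONFIG is a constructed configuration with deliberate gaps.
"""
import re

# Lines that must appear verbatim (order does not matter).
REQUIRED = [
    "no ip domain-lookup",
    "no cdp run",
    "no ip http server",
    "no ip source-route",
    "no service finger",
    "no ip bootp server",
    "no service udp-small-servers",
    "no service tcp-small-servers",
    "service password-encryption",
]

# Settings that must exist but whose values vary per device.
REQUIRED_PATTERNS = {
    "logging host": re.compile(r"^logging (host )?\d+\.\d+\.\d+\.\d+$"),
    "enable secret": re.compile(r"^enable secret "),
    # read-only community followed by the number of the access list that limits managers
    "snmp community restricted by ACL": re.compile(r"^snmp-server community \S+ ro \d+$"),
}

# Settings that must not exist.
FORBIDDEN = {
    "snmp community 'public'": re.compile(r"^snmp-server community public\b"),
    "snmp read-write community": re.compile(r"^snmp-server community \S+ rw\b"),
    "enable password instead of secret": re.compile(r"^enable password "),
}


def parse_config(text):
    """Return the stripped, non-empty, non-comment lines of an IOS config."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("!"):
            lines.append(line)
    return lines


def audit(text):
    """Return a list of findings; an empty list means the baseline is met."""
    lines = parse_config(text)
    present = set(lines)
    findings = []
    for required in REQUIRED:
        if required not in present:
            findings.append(f"missing: {required}")
    for name, pattern in REQUIRED_PATTERNS.items():
        if not any(pattern.match(line) for line in lines):
            findings.append(f"missing: {name}")
    for name, pattern in FORBIDDEN.items():
        for line in lines:
            if pattern.match(line):
                findings.append(f"forbidden: {name} ({line})")
    return findings


# Constructed configuration: hostname, addresses and the type-7 string are made up.
SAMPLE_CONFIG = """\
!
version 12.1
service timestamps log datetime localtime
service password-encryption
!
hostname edge-rtr-1
!
enable password 7 0822455D0A16
!
no ip domain-lookup
no cdp run
no ip source-route
no service finger
no ip bootp server
no service udp-small-servers
no service tcp-small-servers
!
logging 192.168.253.56
snmp-server community public ro
!
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed sample, the audit reports the missing HTTP server shutdown, the missing enable secret, the unrestricted SNMP community, and two forbidden lines (the well-known community string and an enable password, whose type-7 encoding is reversible). One caveat when using this against real devices: newer IOS trains omit settings that are at their default value from `show running-config`, so an absent line does not always mean an insecure setting; where the platform supports it, audit the output of `show running-config all`, and confirm each finding on the device.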